PAM Modules

There are four types of PAM modules used to control access to services. These types correlate to different aspects of the authorization process:

NoteNote
 

An individual module can address more than one of the above module types. For instance pam_unix.so has components which address all four module types.

In a PAM configuration file, the module type is the first aspect defined. For example a typical line in a configuration may look like this:

auth      required  /lib/security/pam_unix.so

This instructs PAM to look at the auth component of the pam_unix.so module.

Stacking Modules

Modules can be stacked, or placed upon one another, so that multiple modules are used together for a particular purpose. Therefore the order in which the modules are listed is very important to the authentication process.

Stacking makes it very easy for an administrator to require several conditions to exist before allowing user authentication. For example, rlogin normally uses five stacked auth modules, as seen in its PAM configuration file:

auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth

Before someone is allowed to use rlogin, PAM verifies that the /etc/nologin file does not exist, that they are not trying to log in remotely as a root user over an unencrypted network connection, and that any environmental variables can be loaded. Then, a successful rhosts authentication is performed before the connection is allowed. If rhosts authentication fails, then standard password authentication is performed.

Creating Modules

New PAM modules can be added at any time, and PAM-aware applications can then use them. For example, if you create a one-time-password creation method and write a PAM module to support it, PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified. This is very beneficial because it lets you mix-and-match, as well as test, authentication methods for different programs without recompiling them.

Documentation on writing modules is included with the system in the /usr/share/doc/pam-version-number/ directory.